Linkable Message Tagging Solving the Key Distribution Problem of Signature Schemes Felix Günther Technische Universität Darmstadt Germany Bertram Poettering Ruhr-Universität Bochum Germany June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 1
Sending Letters back in ancient times... Dear Bob, I wanted to......... Alice Dear Alice, thank you for......... Bob authentication through signatures June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 2 drawings by Giorgia Azzurra Marson
Sending Letters today... Dear Bob, sk A sk B Dear Alice, I wanted to......... Alice thank you for......... Bob σ A Sign(sk A,... ) σ B Sign(sk B,... ) authentication through digital signatures June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 3
Sending Letters today... Dear Bob, I wanted to......... Alice But: Alice and Bob might not even know each other prior to communicating sk A, vk B sk B, vk A Dear Alice, thank you for......... Bob sk A, vk B sk B, vk A σ A Sign(sk A,... ) σ B Sign(sk B,... ) Verify(vk B,..., σ B ) Verify(vk A,..., σ A ) How to authentically distribute keys? June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 3
Approaches So Far (Selection) (Hierarchical) PKIs (X.509) certificates issued by CAs bind keys to identities HTTPS-secured web, S/MIME email encryption/signing large number of (trusted) root and intermediate CAs unclear trust relations / CA compromises (DigiNotar, TURKTRUST,... ) revocation seems difficult (Social) PKIs web of trust, personally signing keys OpenPGP Alice Bob Charlie Dave scalability, time-consuming/error-prone authentication ( key signing parties ) privacy issues (reveals social relationships) June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 4
Approaches So Far (More Academic Selection) Identity-Based Signatures (Shamir 1984) public key = identitiy of a user (e.g., vk A = "Alice") inherent key escrow problem (master key which can decrypt everything) Certificateless Signatures (Al-Riyami, Paterson 2003) hybrid between PKI and identity-based user obtains partial private key to complete on her own still requires some trust in (and existence of) central party Message Recognition (Weimerskirch, Westhoff 2003) method to recognize each others messages as authentic requires prior exchange of small amount of authentic data June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 5
A Novel Approach: History-Based Message Authentication vk B vk A Goals detect forged messages given a single authentically delivered message (unknown which one it is) without explicit exchange of verification keys New tool: Linkable Message Tagging June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 6
Linkable Message Tagging Syntax tk A τ 1 Tag(tk A, m 1 ) τ 2 Tag(tk A, m 2 ) m 1, τ 1 m 2, τ 2 m n, τ n τ n Tag(tk A, m n) Link(m 1, τ 1, m n, τ n) = 1 LMT Scheme KGen(1 λ ): Generate a tagging key tk. Tag(tk, m): Output a tag τ for a message m. required to be an equivalence relation Link(m 1, τ 1, m 2, τ 2 ): Output 0 or 1. (short for 1: (m 1, τ 1 ) (m 2, τ 2 )) Intuition: 1 iff (m, τ)-pairs created with same key. June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 7
Linkable Message Tagging Security tk A τ 1 Tag(tk A, m 1 ) τ 2 Tag(tk A, m 2 ) τ n Tag(tk A, m n) m 1, τ 1 m 2, τ 2 m n, τ n same-origin relation via Link (m, τ )! (m i, τ i ) (Existential) Unforgeability Adversary seeing tags τ i for messages m i of its choice is not able to forge a new tag τ for an unseen message m such that (m, τ ) (m i, τ i ) for any (m i, τ i ). strong unforgeability: τ can be for a previously seen message m i June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 8
Linkable Message Tagging Envisioned Application Envisioned application: automated email authentication easy-to-use and fully-automated cryptographic authentication of email automatically set up tagging keys (on first use) automatically tag all outgoing emails automatically visually group incoming emails (according to relation ) advantages: everything fully automatic (no user interaction required) no exchange of verification keys needed unforgeability guarantees: adversarial emails are grouped separately June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 9
Linkable Message Tagging A Construction BLS-LMT scheme based on BLS signatures (Boneh, Lynn, Shacham 2001) Ingredients: (symmetric) bilinear group G = g (prime order q) with map e : G G G T hash function H : {0, 1} G \ {1} KGen(1 λ ): x $ Z q, output tk = x. Tag(tk, m): Output a τ = H(m) tk = H(m) x. Link(m 1, τ 1, m 2, τ 2 ): Output 1 if e(h(m 1 ), τ 2 ) = e(h(m 2 ), τ 1 ). Correctness: (in particular Link establishes equivalence relation) (m 1, τ 1 ) (m 2, τ 2 ) e(h(m 1 ), H(m 2 )) tk2 = e(h(m 2 ), H(m 1 )) tk1 tk 1 = tk 2 Security: BLS-LMT is strongly unforgeable if CDH is hard in G, in the ROM (proof via strong unforgeability of BLS signatures) June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 10
Linkable Message Tagging Generic Relation with Signatures recall: LMT is not a public key primitive! natural and efficient transformations between LMT and signature schemes + perhaps surprising, interesting theoretical relation little hope for practical construction from symmetric primitives only Signature LMT basic idea: use signing key as tk and include verification key in tag: τ = (σ, vk) several design choices for admissible equivalence relations defined by Link inherits signature scheme s (existential/strong) unforgeability LMT Signature basic idea: use tk as sk and distinct tag as verification key: vk = Tag(tk, "0") signature verification through Link-ing with verification key again preserves (existential/strong) unforgeability June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 11
Automated Email Authentication Revisited tk A τ 1 Tag(tk A, m 1 ) τ 2 Tag(tk A, m 2 ) m 1, τ 1 m 2, τ 2 m n, τ n τ n Tag(tk A, m n) Link(m 1, τ 1, m n, τ n) = 1 in envisioned automated email authentication: Link must be checked with (m, τ) from each origin/ -group would be nice if origin was efficiently identifiable June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 12
Classifiable Message Tagging Syntax tk A τ 1 Tag(tk A, m 1 ) τ 2 Tag(tk A, m 2 ) m 1, τ 1 m 2, τ 2 τ n Tag(tk A, m n) m n, τ n Classify(m n, τ n) = cid CMT Scheme KGen(1 λ ): Generate a tagging key tk. Tag(tk, m): Output a tag τ for a message m. Classify(m, τ): Output a class identifier cid. Intuition: each tk corresponds with one specific cid tk. (existential/strong) unforgeability defined as expected June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 12
Classifiable Message Tagging Generic Relations CMT schemes are special LMT schemes by defining: Link(m 1, τ 1, m 2, τ 2 ) = 1 Classify(m 1, τ 1 ) = Classify(m 2, τ 2 ) but not all LMT schemes have CMT analogues e.g., BLS-LMT: cid tk could be tk or g tk, contradicting DLP/CDH Signature CMT again: use signing key as tk and include verification key in tag: τ = (σ, vk) use class identifier cid = vk CMT Signature use class identifier as verification key vk = cid tk June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 13
Classifiable Message Tagging A Highly Efficient Construction Schnorr-CMT scheme based on Schnorr signatures (Schnorr 1990) Key insight: Schnorr vk can be reconstructed from any valid signature KGen(1 λ ): tk = Schnorr signing key Tag(tk, m): τ = Schnorr signature Classify(m, τ): Output cid = Schnorr verification key, reconstructed from τ Security: Schnorr-CMT is strongly unforgeable if DLP is hard, in the ROM (proof via strong unforgeability of Schnorr signatures) Efficiency: 50,000 classifications/sec on a current high-end CPU using elliptic-curve-based Ed25519 (Bernstein et al. 2011) June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 14
Summary History-based message authentication: side-stepping the key distribution problem. We introduce linkable message tagging, authenticating messages without pre-shared verification keys or PKI τ1 Tag(tkA, m1) τ2 Tag(tkA, m2) tka m1, τ1 m2, τ2 mn, τn τn Tag(tkA, mn) Link(m1, τ1, mn, τn) = 1 identify the practical subclass of classifiable message tagging explore the generic relation between LMT/CMT and signature schemes provide efficient constructions In the full version (eprint 2014/014) CMT scheme without random oracles from Waters signatures on DSA- and ECDSA-based CMT schemes on CMT schemes from Fiat-Shamir transformed signatures do S/MIME and OpenPGP lead to efficient CMT schemes? Thank You! June 30, 2015 ACISP 2015, Brisbane, Australia Felix Günther (TU Darmstadt) 15